Authentication using magnetic field based on current drawn by security device

ABSTRACT

Systems and methods for determining authenticity of a security device of a component in an imaging device include receiving, by the security device, an authentication challenge including one or more commands and executing, by the security device, the one or more commands in response to receiving the authentication challenge. A magnetic field profile is generated based on current drawn by the security device from a power source while the security device is executing the one or more commands, the generated magnetic field profile indicating an authentication response of the security device to the authentication challenge for use in determining authenticity of the security device.

CROSS REFERENCES TO RELATED APPLICATIONS

This application claims priority as a continuation application of U.S. patent application Ser. No. 17/840,979, filed Jun. 15, 2022, having the same title.

FIELD OF THE INVENTION

The present disclosure relates generally to authentication schemes, and more particularly to authentication of security devices using magnetic field-based authentication. Particular embodiments include methods of generating a magnetic field profile when a security device draws current while executing commands in response to an authentication challenge and using the magnetic field profile as a response to the authentication challenge.

BACKGROUND

In some imaging devices, supply items such as ink and toner cartridges are replaceable due to depletion of the consumable therein. Other supply items, such as imaging units and fusers, are replaceable due to wear of physical mechanisms. It is common to place security devices or integrated circuits with encryption and authentication circuits, based on digital technology, on supply items and connect these security devices with a controller in the printer. The controller usually contains a system-on-chip (SoC) and non-volatile memory (NVM) from which it executes firmware to direct the authentication of security devices on supply items to verify whether the supply items are genuine and authentic.

In some cases, the same security device (which may be referred to as a system security device) is also placed on the controller to reduce the likelihood of tampering during the authentication of security devices on supply items. In such an arrangement, the controller may verify the authenticity of the supply item by generating and sending a cryptographic challenge, either directly from the SoC or through the system security device, to the security device on the supply item which generates a response and returns it to the controller. For example, in a typical cryptographic based authentication, authentication begins with the SoC instructing the system security device to generate an authentication challenge that is sent to a supply item security device. The supply item security device next generates a response to the challenge and returns the response to the system security device. In turn, the system security device verifies the response to determine the authenticity of the security device on the supply item. Since the challenge and response are both generated and communicated digitally over a serial interface, the authentication produces a deterministic result in which execution produces the same result under the same circumstances and/or inputs. If the SoC verifies that the security device on the supply item responds correctly to the challenge, the supply item is determined to be authentic. Otherwise, if the security device on the supply item responds incorrectly, the supply item is determined to be non-authentic and an enforcement action may be initiated. The enforcement action may consist of no notification to the user, notification to the user that a non-authentic supply item is installed, or notification to the user that an unsupported supply item is installed. In some cases, if a security device is copied, it may produce the same digital response as an authentic device making it difficult to distinguish a non-authentic device from an authentic device, so a new method of authentication is desired.

One of the difficulties, however, in developing security devices based on integrated circuit technology (security chips) is that they are susceptible to being reverse engineered by an attacker either decrypting data communicated over a digital interface or copying the security device using chip delayering, imaging, netlist extraction, memory extraction techniques, and the like. If a security device is reverse engineered and copied, it may produce the same digital behavior as the authentic device making it challenging to distinguish a non-authentic device from an authentic device. As a result, the inventors recognize the desirability of developing new methods of authenticating security devices on supply items beyond those digital methods known in the art.

The authentication system disclosed in U.S. patent application Ser. No. 17/469,601 entitled “Authentication Using Current Drawn by Security Device” introduced the use of current drawn by a security device in response to an execution of a command or a series of commands as an authentication parameter. Because the current drawn by the security device is expected to be a unique physical attribute of the security device, the inventors have discovered that the current drawn may be used in whole or in part to determine authenticity of the security device. Specifically, a current monitor circuit can be used to convert the current drawn by the security device into an analog voltage when a trigger condition is detected. The analog voltage is then converted into a digital value by an analog-to-digital converter (ADC) and the digital value is captured and stored in memory as a captured current profile. The captured current profile is then compared with the expected current profile (which is predetermined and stored in memory or dynamically generated) and a determination is made of the authenticity of the security device on the supply item. The inventors further recognize a need to provide additional methods for authentication of security devices on supply items.

SUMMARY

The foregoing and other are solved by using magnetic field-based authentication where magnetic field profiles, generated based on current drawn by security devices when the security devices respond to authentication challenges, are used as responses to the authentication challenges. In one embodiment, a method is disclosed for determining authenticity of a security device of a component in an imaging device. The method includes receiving, by the security device, an authentication challenge including one or more commands and executing, by the security device, the one or more commands in response to receiving the authentication challenge. A magnetic field profile is generated based on current drawn by the security device from a power source while the security device is executing the one or more commands, the generated magnetic field profile indicating an authentication response of the security device to the authentication challenge for use in determining authenticity of the security device and, in turn, the component. Authentication may be one-way authentication where a component authenticates another component, mutual authentication where two components authenticate each other, or self-authentication where a component authenticates itself. In one aspect, a component is a controller of the imaging device or a supply item, such as a toner cartridge, of the imaging device.

In another embodiment, a method is disclosed for generating a response to an authentication challenge for determining authenticity of a component in an imaging device. The method includes receiving, by the component, an authentication challenge including one or more commands and executing, by the component, the one or more commands included in the authentication challenge in response to receiving the authentication challenge, wherein the component draws current from a power source while executing the one or more commands. A magnetometer, placed a distance from a conductor carrying the current drawn by the component while executing the one or more commands, measures a magnetic field around the conductor and a magnetic field profile is generated based on the measured magnetic field. The generated magnetic field profile is then used as a response to the authentication challenge.

In another embodiment, a device in a component for use in determining authenticity of the component in an imaging device is disclosed. The device includes a security device and a magnetometer device. The security device is electrically connected to a power source that delivers current to the security device via a conductor when the security device executes one or more commands included in an authentication challenge in response to the security device receiving the authentication challenge. The magnetometer device is positioned a distance from the conductor that carries the current being delivered from the power source to the security device when the security device executes the one or more commands. The magnetometer device is operative to measure a magnetic field around the conductor when the security device executes the one or more commands to generate a magnetic field profile indicating an authentication response of the security device to the authentication challenge.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 illustrates an imaging system according to one example embodiment;

FIG. 2 is a block diagram illustrating communication between a controller and a plurality of supply items according to one example embodiment;

FIG. 3 is a graph illustrating an example magnetic field profile that is generated by an authentic security device in response to an authentication challenge;

FIG. 4 is a graph illustrating an example expected magnetic field profile of an authentic security device;

FIG. 5 is a graph illustrating an example magnetic field profile that is generated by a non-authentic security device;

FIG. 6 is a flowchart illustrating an example method of one-way authentication where a security device on a controller authenticates a security device on a supply item, according to one example embodiment;

FIG. 7 is a flowchart illustrating an example method of one-way authentication where a security device on a supply item authenticates a security device on the controller, according to one example embodiment;

FIG. 8 is a flowchart illustrating an example method of self-authentication where a security device on the controller authenticates itself, according to one example embodiment;

FIG. 9 is a block diagram of an example embodiment where a magnetometer device is placed on a controller;

FIG. 10 is a block diagram of an example embodiment where plural magnetometer devices are placed on a controller and plural supply items;

FIG. 11 is a block diagram of an example embodiment where plural magnetometer devices are placed on a controller and plural supply items, wherein each magnetometer device on a supply item communicates a magnetic field profile measurement to a co-located security device on the same supply item;

FIG. 12 is a block diagram of an example embodiment where a magnetometer device and a security device are assembled in a multi-chip module (MCM) package, wherein the magnetometer device and the security device are placed horizontally side by side (2D package) on a substrate;

FIG. 13 is a block diagram of an example embodiment where a magnetometer device and a security device are assembled in a multi-chip module (MCM) package, wherein a magnetometer chip and a security chip are placed vertically in a chip-on-chip stack (3D package) on a substrate; and

FIG. 14 is a block diagram of an example embodiment where a magnetometer device and a security device are integrated in a single chip, wherein the magnetometer device and the security device are fabricated on a same semiconductor substrate.

DETAILED DESCRIPTION OF THE ILLUSTRATED EMBODIMENTS

The present disclosure provides methods to authenticate supply items using security chips based on the magnetic field profile that is generated when a security device draws current while executing a command in response to an authentication challenge. Because the magnetic field around a conductor is known to be proportional to the current flowing in a conductor and because this unique physical characteristic is relatively difficult to copy or emulate, capturing a magnetic field profile and using it as part of an authentication process may greatly improve the ability to authenticate genuine supply items even when security chips have been reverse engineered and copied to produce unauthentic supply items that exhibit the same digital behavior as with genuine supply items.

With reference to FIG. 1, a diagrammatic view of an imaging system 10 is shown according to an example embodiment. Imaging system 10 includes an imaging device 15 used for printing images on sheets of media. Image data of the image to be printed on a media sheet may be supplied to imaging device 15 from a variety of sources such as a computer 20, laptop 25, mobile device 30, scanner 35, or like computing device. The sources directly or indirectly communicate with imaging device 15 via wired and/or wireless connections. Imaging device 15 includes a controller 40, a user interface 45, and a power supply unit 50. Controller 40 may include a processor and associated memory. In some example embodiments, controller 40 may be formed as one or more Application Specific Integrated Circuits (ASICs) or System-on-Chips (SoCs). Controller 40 may control the processing of print data. Controller 40 may also control the operation of a print engine during printing of an image onto a sheet of media. Power supply unit typically includes analog circuitry necessary to convert AC voltage from the AC mains to one or more regulated DC voltages for use by components of imaging device 15. Power supply unit 50 may deliver appropriate regulated DC voltage levels to various components and circuitries via a power bus 52.

In one example embodiment, imaging device 15 employs an electronic authentication scheme to authenticate consumable supply items and/or replaceable units installed in imaging device 15. In FIG. 1, a representative replaceable unit or supply item 55, such as a toner cartridge, an imaging unit, a fuser, an intermediate transfer unit, a waste toner box, etc., is shown. Supply item 55 may be installed in a corresponding storage area 57 in imaging device 15. Supply item 55 includes an integrated circuit chip or security device 60 that communicates with controller in imaging device 15. Controller 40 may initiate authentication challenges to verify authenticity of supply items 55. The authenticity is verified if the supply item 55 being authenticated generates an expected response to an authentication challenge. Otherwise, the supply item 55 may be detected as a clone or counterfeit and appropriate actions may be taken to protect against the use of supply item 55 in order to optimize performance of and/or prevent damage to imaging device 15.

FIG. 2 is a block diagram illustrating communication between controller 40 and a plurality of supply items 55. In the embodiment illustrated, controller 40 includes a System-on-Chip (SoC) 70 including a processor 72. Security devices 60 are placed on supply item(s) 55 and on controller 40. The security devices are generally designated as security devices 60, but the security device placed on controller 40 may be referred to herein as system security device 60 a and each security device placed on each supply item 55 may be referred to herein as supply item security device 60 b for ease of description. Controller 40 also includes a power source 85, shown as a voltage regulator or voltage/ground source, that receives power from power supply unit 50 and delivers power to security devices 60 via a power bus 90. As a result, security devices 60 operate by drawing power from power source 85.

In one embodiment, host firmware 75 running in SoC 70 is configured to initiate authentication methods for validating authenticity of one or more of security devices 60. SoC 70 is configured to verify authenticity of security devices 60 in imaging device 15 using information associated with a magnetic field profile that is generated when a security device 60 draws current from power source 85 to perform an operation in response to receiving an authentication challenge. In this example, the authentication challenge may include one or more commands that result in the execution of one or more operations by the security device 60 that is to be authenticated.

As an example, when a security device 60 comprised of at least one integrated circuit (IC) is placed on supply item 55 in imaging device 15, it will consume current (I) from power source that fluctuates because of the circuit switching activity resulting from the execution of one or more commands. The fluctuating current (I) drawn by the security device 60 will generate a fluctuating magnetic field (B) a distance (r) from the conductor (C) carrying the current (I). The amplitude of the magnetic field (B) is proportional to the current (I) divided by the distance (r) as shown by the following Equation (1):

$$B = \frac{\mu_{0} I}{2\pi r} \qquad \text{Eq. (1)}$$

where B is the magnetic field strength, I is the electric current flowing through the conductor, μ₀ is the permeability of free space, and r is the distance from the conductor. Several measurements of the fluctuating magnetic field amplitude (B) may be made over time to capture a magnetic field profile by placing a magnetometer device 100 a distance (r) from the conductor C carrying the current (I). The SoC 70 is configured to sample the output of magnetometer device 100 and generate a magnetic field profile based on the output of magnetometer device 100, and then store the generated magnetic field profile as a captured magnetic field profile 110 in memory 95 and use the captured magnetic field profile 110 as an authentication parameter.

The magnetometer device 100 used to capture a magnetic field profile may be constructed with any of the magnetic field measurement technologies known in the art. For example, the magnetometer device 100 may include Hall effect technology and magnetoresistance technology. The type of magnetometer device may be chosen so that its magnetic field measurement range and resolution match the peak-to-peak amplitude of the magnetic field generated near the conductor carrying current to a security device 60. The magnetometer device may also be chosen so that it makes multiple measurements of the magnetic field along one or more axes (e.g., X and/or Y and/or Z) during a measurement interval that may begin upon detecting a configured trigger condition and end after a configured measurement duration.

SoC 70 is programmable to set at least one trigger condition to enable sampling from the output of magnetometer device 100. In one example, the execution by a security device 60 of a first operation of an authentication challenge may be set as a trigger condition. In another example, the trigger condition may be a logical operation (e.g., a simple event performed by SoC 70 or security device 60) or a series of logic operations (e.g., a complex series of events performed by SoC 70 or security device 60). In other examples, the trigger condition may be any signal communicated over the communications channel between SoC 70 and security devices 60.

The magnetic field profile of an authentic security device and the magnetic field profile of a non-authentic security device are expected to be different when captured as a response to an authentication challenge due to the differences in IC technology, circuit switching activity, and current fluctuation. As a result, a magnetic field profile may be captured during a measurement interval and used as a response to an authentication challenge, where the challenge consists of one or more commands executed by the security device 60 (such as, but not limited to, an encryption or decryption or verification command or a combination of commands, etc.) and where parameters stored in memory 62 are used to randomize the command (such as, but not limited to, a cipher type, key length, source data size, source data address, hash output size, operating frequency, number of iterations, measurement duration, measurement period, measurement resolution, etc.) as discussed in greater detail below. On the other hand, the magnetic field profile of each instance of an authentic security device (e.g., manufactured with the same mask set and same semiconductor process) in response to the same authentication challenge is expected to be similar due to the common integrated circuit technology and circuit switching activity and similar current fluctuation. This difference in magnetic field profiles may be determined and used to authenticate security devices.

An authentication algorithm may be used to determine the authenticity of the security device 60 by comparing the captured magnetic field profile 110 with an expected magnetic field profile 115 of an authentic security device. The expected magnetic field profile 115 may be predetermined by characterization of multiple instances of an authentic security device and stored in memory 105 on controller 40 during manufacturing. During use of imaging device 15, predetermined magnetic field profiles stored in memory 105 may be read into memory 95 on SoC. Alternatively, the expected magnetic field profile 115 may be dynamically determined by capturing a magnetic field profile from another instance of the authentic security device 60 placed on the controller 40 that is trusted. The authentication algorithm may be a simple equal to or greater than authenticity test or it may be a more complex statistical correlation test (such as the Pearson Correlation Coefficient) with a predetermined correlation threshold used to determine authenticity of the security device 60. The security device 60 on the supply item 55 or on the controller 40 is determined to be authentic if the result of the comparison exceeds the predetermined threshold and is determined to be non-authentic if the results of the comparison do not exceed the predetermined threshold. Alternatively, reverse logic may be used for the comparison as desired. Host SoC 70 may command any of security devices 60 to generate an authentication challenge and send the generated authentication challenge to any of the other security devices 60. Accordingly, the authentication protocol may be any combination of one-way authentication, mutual authentication, and self-authentication, as discussed in greater detail below.

FIG. 3 shows an example magnetic field profile 120 that is generated by an authentic security device as a response to an authentication challenge where discrete samples of magnetic field amplitudes are represented by the “dots” in the graph over a 100 millisecond measurement interval. In this example, the magnetic field profile 120 is generated when security device 60 draws current from power source 85 to perform operations in response to receiving an authentication challenge consisting of an EncDecVer command (defined herein as a combination of an encryption, decryption, and verification operation) that is randomized by parameters (e.g., parameters 1-7 listed below) stored in memory 62 of the security device 60. Hereinafter, the magnetic field profile that is generated and captured as a result of a security device drawing current from power source 85 to perform one or more operations in response to an authentication challenge may also be referred to as a magnetic field profile response 110. The magnetic field profile response 110 is measured by magnetometer device 100 that is configured with parameters (e.g., parameters 8-10 listed below) stored in memory 62 of the security device 60. Each command in an authentication challenge may be defined to use one or more parameters that may be fixed or frequently changed (e.g., each time the security device 60 is authenticated). It should be noted, however, that the command, parameters, operations, configuration, and measurements described herein are only illustrative as many variations of the components of this invention may be defined and used as an authentication challenge to generate a response consisting of a fluctuating magnetic field that may be measured over time and captured as a magnetic field profile and used to authenticate security devices.

Command: EncDecVer

- Parameter (1) Cipher Type: RSA
- Parameter (2) Key Length: 2048-bit
- Parameter (3) Source Data Size: 256-byte
- Parameter (4) Source Data Address: 0
- Parameter (5) Hash Output Size: 256-bit
- Parameter (6) Operating Frequency: 10 MHz
- Parameter (7) Number of Iterations: 2
- Parameter (8) Measurement Duration: 100 milliseconds
- Parameter (9) Measurement Period: 1 millisecond
- Parameter (10) Measurement Resolution: 16-bits

An authentic security device generates an authentic magnetic field profile response 110 by using the parameters stored in the internal memory, shown as non-volatile memory (NVM) 62, of the security device 60 to configure the security device 60 (e.g., the security device's operating frequency, etc.) and randomize the authentication challenge command executed by the security device 60 (e.g., cipher type, key length, source data size, source data address, hash output size, number of iterations, etc. of the authentication challenge command). As an example, with an EncDecVer challenge command that is randomized by parameters 1-7 listed above, the authentication challenge results in the execution by the security device of the following operations:

- Operation (1): Encrypt, using RSA-2048 (Cipher Type and Key Length parameters), 256 bytes (Source Data Size parameter) of source data located in internal memory of the security device starting at address 0 (Source Data Address parameter) and store the 256-byte encrypted result in internal memory of the security device starting at address 256 (Source Data Address plus the Source Data Size parameters).
- Operation (2): Decrypt, using RSA-2048 (Cipher Type and Key Length parameter), the 256-byte encrypted result starting at address 256 (Source Data Address plus Source Data Size parameters) and store the 256-byte decrypted result in internal memory of the security device starting at address 256 (Source Data Address plus Source Data Size parameters).
- Operation (3): Verify that the original 256 bytes (Source Data Size parameter) of source data located in internal memory of the security device starting at address 0 (Source Data Address parameter) matches the 256-byte decrypted result located in internal memory of the security device starting at address 256 (Source Data Address plus Source Data Size parameters) using the SHA algorithm to generate the 256-bit hash output (Hash Output Size parameter) for each of the original source data and the decrypted result, and compare the two hash outputs to verify the result. Securely communicate the result of the verification to the SoC 70.
- Operation (4): Repeat Operation (1), (Number of Iterations parameter).
- Operation (5): Repeat Operation (2), (Number of Iterations parameter).
- Operation (6): Repeat Operation (3), (Number of Iterations parameter).

In this example, the authentication challenge includes commands that result in the execution of six operations (Operations 1-6) by the security device 60 including two iterations of three sequential operations (Operations 1-3) that generate the magnetic field profile response 110 measured by the magnetometer device 100 when configured with the parameters stored in the security device (e.g., measurement period, resolution, etc.). The magnetic field measurements are captured during a measurement interval (e.g., beginning with a trigger condition and ending after the measurement duration, etc.) and stored in memory as the captured magnetic field profile 110.

In this example, the fluctuating current drawn by the unique circuit switching activity of the authentic security device, when executing the six operations defined by the authentication challenge, generates a fluctuating magnetic field near the conductor carrying current to the security device 60. In the above example, the magnetic field is measured by the magnetometer device 100 every 1 millisecond (as defined by Measurement Period of Parameter 9 above) starting with the execution of the first operation of the challenge (defined in this example as the trigger condition) and continuing for 100 milliseconds (as defined by Measurement Duration of Parameter 8 above), which may be approximately the time it takes to complete the execution of the last operation of the challenge. The magnetic field profile response is captured and stored in memory as a dataset of 100 16-bit (as defined by Measurement Resolution of Parameter 10 above) magnetic field amplitude measurements.

The expected magnetic field profile response may be predetermined by characterizing several responses of authentic security devices to the authentication challenge command and parameters, and then storing the expected magnetic field profile response as a predetermined magnetic field profile in memory on the controller 40 or on the security device 60. Alternatively, the expected magnetic field profile response may be dynamically generated and captured from another instance of the same security device that is trusted (e.g., system security device 60 a placed on the controller 40 in imaging device 15). When the expected magnetic field profile response is predetermined, it may be combined with other device specific information (such as a serial number of a supply item) and signed with a digital signature algorithm (such as Elliptic Curve Digital Signature Algorithm or ECDSA) and encrypted with an encryption algorithm (such as Advanced Encryption Standard or AES). Both signature and encrypted result may be stored in the NVM memory 105 on the controller 40 or on the supply item 55.

FIG. 4 shows an example expected magnetic field profile 125 of an authentic security device 60. In this example, the expected magnetic field profile response is dynamically generated by capturing the magnetic field profile response of the trusted system security device 60 a on the controller 40 in imaging device 15 when it executes the same authentication challenge (e.g., EncDecVer command and parameters) as previously described. The magnetic field generated by the trusted system security device 60 a is measured by the magnetometer device 100 in the same way as previously described (e.g., 100 magnetic field amplitude measurements spaced 1 millisecond apart starting with the execution of the first operation of the challenge and ending after the completion of the last operation of the challenge) and the expected magnetic field profile response is captured and stored in memory as a dataset of 100 16-bit magnetic field amplitude measurements.

The magnetic field profile responses of authentic security devices (e.g., security devices manufactured with same mask set in the same semiconductor process) are expected to vary slightly due to part to part manufacturing variation, but they will show a high degree of statistical correlation when the actual magnetic field profile response of an authentic security device is compared with the expected magnetic field profile response of an authentic security device using, for example, an authentication algorithm such as the Pearson Correlation Coefficient. In the above example, the magnetic field profile 120 (FIG. 3) generated by an authentic security device is relatively similar to the expected magnetic field profile 125 (FIG. 4) of an authentic security device. In some cases, matches between generated magnetic field profile of an authentic security device and the expected magnetic field profile may be close but not exact. To determine authenticity, a generated magnetic field profile must meet an acceptable level of similarity or closeness to an expected magnetic field profile. As an example, a predetermined threshold, such as a Pearson Correlation Coefficient of 0.8 or greater, may be used for authentication. In this example, a resulting statistical correlation value less than the threshold of 0.8 indicates a weaker strength of association between the captured magnetic field profile response and the expected magnetic field profile response, whereas a resulting statistical correlation value greater than or equal to the threshold of 0.8 indicates a stronger strength of association between the captured magnetic field profile response and the expected magnetic field profile response. If the result of the correlation between the captured magnetic field profile response of an authentic security device and the expected response of an authentic security device passes the predetermined threshold, the authentic security device may be identified and authenticated. In this example, the result of the correlation between the captured magnetic field profile response of an authentic security device, shown in FIG. 3, and the expected response of an authentic security device, shown in FIG. 4, passes the predetermined threshold.

However, a non-authentic security device is expected to have circuit switching and current consumption characteristics that vary significantly from an authentic security device when executing the same authentication challenge command and parameters due to the differences in circuit construction and semiconductor process technology. These differences may manifest themselves in a magnetic field profile response of a non-authentic security device that will not be statistically correlated with the expected magnetic field profile response of an authentic security device using the same predetermined threshold. For example, a non-authentic security device with these differences in circuit construction and semiconductor process technology may generate a magnetic field profile 130 illustrated in FIG. 5 in response to the same authentication challenge (e.g., EncDecVer command and parameters) as previously described. The magnetic field of the non-authentic security device is measured by the magnetometer device 100 in the same way as previously described (a total of 100 magnetic field amplitude measurements spaced 1 millisecond apart starting with the execution of the first operation of the challenge and ending after the completion of the last operation of the challenge) and the magnetic field profile response is captured and stored in memory as a dataset of 100 16-bit magnetic field amplitude measurements.

In this example, a non-authentic security device will not be able to generate a magnetic field profile response with sufficient accuracy to produce a high degree of statistical correlation when the magnetic field profile response of the non-authentic security device is compared with the expected magnetic field profile response of an authentic security device using an authentication algorithm such as the Pearson Correlation Coefficient. FIG. 5 shows an example magnetic field profile response 130 from a non-authentic security device which deviates from the expected magnetic field profile 125 shown in FIG. 4. In this case, the result of the correlation between the magnetic field profile response of the non-authentic security device shown in FIG. 5 and the expected magnetic profile response of an authentic security device shown in FIG. 4 will not pass the predetermined threshold, such as the Pearson Correlation Coefficient 0.8 or greater, used for authentication and the non-authentic security device may be identified and not be authenticated.

The following describes, in summary, different elements of the invention that may be used to authenticate a security device based on a captured magnetic field profile in response to an authentication challenge as described above.

1) Place a magnetometer IC that can measure a magnetic field near a conductor carrying current from a voltage regulator to a security device IC.
2) Place a security device IC that will draw current and generate a magnetic field near the conductor carrying the current to the security device IC on a supply item and on the controller.
3) Program and configure the magnetometer IC to measure the magnetic field near the conductor carrying the current to the security device IC when a trigger signal is present.
4) Program and configure the security device IC to execute one or more commands with optional parameters that will cause it to consume current over a measurement interval.
5) Define a measurement interval that begins with a programmable trigger condition and continues for a programmable duration to coincide with the execution time in whole or part of one or more commands executed by the security device IC.
6) Trigger the security device IC to execute one or more commands and simultaneously trigger the magnetometer IC to measure the magnetic field during the measurement interval.
7) Capture the magnetic field profile measured by the magnetometer IC during the measurement interval and store it in memory.
8) Compare the captured magnetic field profile with the expected magnetic field profile (predetermined and stored in memory or dynamically captured from the system security device) using a suitable authentication algorithm.
9) Determine that the security device IC is authentic if the result of the comparison of the captured magnetic field profile and expected magnetic field profile is greater than or equal to a predefined threshold. Otherwise, determine that the security device IC is non-authentic.
10) Perform a predetermined enforcement action if the security device IC is determined to be authentic and perform another predetermined enforcement action if the security device IC is determined to be non-authentic.
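Steps 8 and 9 above, as an added example in C (not code from this disclosure): a captured profile of 100 16-bit samples is compared with the expected profile using the Pearson Correlation Coefficient and the 0.8 threshold, without calling sqrt(). The names mf_authenticate and mf_demo, the MF_MAX_LEN bound, the constructed sample profiles, and the choice to reject length mismatches and flat profiles (fail closed) are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PROFILE_LEN 100   /* 100 samples spaced 1 ms apart, as in the text */
#define MF_MAX_LEN  4096  /* assumed bound: keeps the 64-bit sums exact */

typedef enum { MF_NON_AUTHENTIC = 0, MF_AUTHENTIC = 1 } mf_verdict;

/*
 * Returns MF_AUTHENTIC only if Pearson r(captured, expected) >= threshold.
 * r = cov / sqrt(vx * vy); for a threshold in (0, 1] this is equivalent to
 * cov > 0 && cov^2 >= threshold^2 * vx * vy, so no sqrt() is needed.
 * Malformed or degenerate input is treated as non-authentic.
 */
mf_verdict mf_authenticate(const int16_t *captured, size_t cap_len,
                           const int16_t *expected, size_t exp_len,
                           double threshold)
{
    int64_t sx = 0, sy = 0, sxx = 0, syy = 0, sxy = 0;
    int64_t n, cov, vx, vy;
    size_t i;

    if (captured == NULL || expected == NULL)
        return MF_NON_AUTHENTIC;
    if (cap_len != exp_len || cap_len < 2 || cap_len > MF_MAX_LEN)
        return MF_NON_AUTHENTIC;           /* truncated or oversized capture */
    if (!(threshold > 0.0 && threshold <= 1.0))
        return MF_NON_AUTHENTIC;           /* also rejects NaN */

    for (i = 0; i < cap_len; i++) {
        int64_t x = captured[i], y = expected[i];
        sx += x;
        sy += y;
        sxx += x * x;
        syy += y * y;
        sxy += x * y;
    }
    n = (int64_t)cap_len;
    cov = n * sxy - sx * sy;               /* n^2 * covariance */
    vx = n * sxx - sx * sx;                /* n^2 * variance of captured */
    vy = n * syy - sy * sy;                /* n^2 * variance of expected */

    if (vx <= 0 || vy <= 0)
        return MF_NON_AUTHENTIC;           /* flat profile: r is undefined */
    if (cov <= 0)
        return MF_NON_AUTHENTIC;           /* r <= 0 is below any threshold */

    return ((double)cov * (double)cov >=
            threshold * threshold * (double)vx * (double)vy)
               ? MF_AUTHENTIC : MF_NON_AUTHENTIC;
}

enum { CASE_AUTHENTIC, CASE_COUNTERFEIT, CASE_FLAT, CASE_TRUNCATED };

/* Builds constructed (not measured) profiles and returns the verdict. */
mf_verdict mf_demo(int which)
{
    int16_t expected[PROFILE_LEN], captured[PROFILE_LEN];
    size_t cap_len = PROFILE_LEN;
    int i;

    for (i = 0; i < PROFILE_LEN; i++) {
        /* Expected: alternating 10 ms low/high current phases plus a ramp. */
        int e = 2000 + 600 * ((i / 10) % 2) + 5 * (i % 10);
        expected[i] = (int16_t)e;
        switch (which) {
        case CASE_AUTHENTIC:
        case CASE_TRUNCATED:
            /* Same shape, small offset and +/-10 count part-to-part noise. */
            captured[i] = (int16_t)(e + 40 + (i * 37) % 21 - 10);
            break;
        case CASE_COUNTERFEIT:
            /* Different amplitude, phases switch 3 ms early (r is about 0.4). */
            captured[i] = (int16_t)(1500 + 900 * (((i + 3) / 10) % 2));
            break;
        default:
            captured[i] = 2000;            /* device draws constant current */
            break;
        }
    }
    if (which == CASE_TRUNCATED)
        cap_len = PROFILE_LEN - 1;         /* one sample lost in transfer */
    return mf_authenticate(captured, cap_len, expected, PROFILE_LEN, 0.8);
}

int main(void)
{
    static const char *names[] = { "authentic", "counterfeit", "flat", "truncated" };
    int k;

    for (k = 0; k < 4; k++)
        printf("%-12s -> %s\n", names[k],
               mf_demo(k) == MF_AUTHENTIC ? "authentic" : "non-authentic");
    return 0;
}
```

A flat capture has zero variance, so the coefficient is undefined; the example maps that case and any length mismatch to the non-authentic verdict.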

Various embodiments of the methods will now be described, but the examples provided should not be viewed as exhaustive as there are many embodiments that may be used to authenticate security devices using magnetic field-based authentication and all combinations of these elements are considered embodiments herein. Additionally, many different authentication algorithms (such as Pearson Correlation Coefficient) and predetermined thresholds may be used to authenticate security devices and these authentication algorithms may be performed by firmware executing on a security device or an SoC. Further, the authentication of security devices disclosed herein may use one-way authentication protocol, mutual-authentication protocol, or self-authentication protocol in any of the following ways.

- A security device on a controller may authenticate a security device on a supply item (one-way authentication).
- A security device on a supply item may authenticate a security device on a controller (one-way authentication).
- A security device on a controller and a security device on a supply item may authenticate each other (mutual authentication).
- A security device on a first supply item may authenticate another security device on a second supply item (one-way authentication).
- A security device on a first supply item and another security device on a second supply item may authenticate each other (mutual authentication).
- A security device on a controller may authenticate itself (self-authentication).
- A security device on a supply item may authenticate itself (self-authentication).

FIG. 6 illustrates an example method of one-way authentication where system security device 60 a on controller 40 authenticates a supply item security device 60 b on a supply item 55. At block 140, SoC 70 sends a start authentication command to system security device 60 a for system security device 60 a to initiate authentication of a supply item security device 60 b. In response to receiving the start authentication command from SoC 70, system security device 60 a generates an authentication challenge/command and sends the authentication challenge/command to the supply item security device 60 b that is to be authenticated at block 142. In one example, system security device 60 a generates the authentication challenge/command by computing a random challenge which may consist of one or more commands, such as (but not limited to) an encryption, decryption, or verification command, or a complex command consisting of a combination of multiple individual commands. Each command may be selected randomly from a predetermined set of commands and randomized using parameters stored in memory. Alternatively, each command may be generated randomly by using other parameters such as (but not limited to) cipher type, key length, source data size, source data address, hash output size, operating frequency, number of iterations, etc., to modify and randomize a predetermined command.

At block 144, supply item security device 60 b generates a magnetic field profile response by executing the one or more commands specified by the authentication challenge/command. The magnetometer device 100 measures the generated magnetic field profile response during a measurement interval as the supply item security device 60 b draws current from the power source while executing the one or more commands, and then sends the measured magnetic field profile response to the SoC 70 to store in memory as a captured magnetic profile response at block 146.

At block 148, SoC 70 generates an expected magnetic profile response by dynamically generating or computing the expected magnetic field profile response from the system security device 60 a or by reading a predetermined value from memory 105. For example, the expected magnetic field profile response may be generated by reading from a predetermined finite number of expected magnetic field profile responses statically stored in non-volatile memory 105 on the controller 40 or on the security device 60. Alternatively, the expected magnetic field profile responses may be stored in a cloud database indexed by a finite size hash of device specific information and accessed by the controller 40 through a secure network connection. In another example, where a security device on the controller 40 and a security device on the supply item 55 are instances of the same security device, the expected magnetic field profile response of a first security device to an authentication challenge may be dynamically generated by generating the same magnetic field profile response of a second security device using the same authentication challenge and parameters as was used for the first security device. As an example, SoC 70 may command system security device 60 a and supply item security device 60 b to each generate a magnetic field profile response to an authentication challenge with the same parameters. SoC 70 may then measure each of the responses from the system security device 60 a and supply item security device 60 b and compare them. If system security device 60 a is considered as the reference, the response from system security device 60 a is set as the expected magnetic field profile response and the response from supply item security device 60 b must match the response from system security device 60 a within margins for supply item security device 60 b to be considered authentic.

At block 150, SoC 70 verifies the actual magnetic field profile response of supply item security device 60 b by comparing it with the expected response using a statistical correlation algorithm and a predetermined threshold. For example, the captured magnetic field profile response and the expected magnetic field profile response may be compared using Pearson correlation coefficients. With a Pearson correlation coefficient of 0.8 used as a predetermined threshold, for example, a correlation computation between the captured magnetic field profile response and the expected magnetic field profile response that results in a Pearson correlation coefficient below 0.8 may indicate a relatively weak relationship between the actual captured response and the expected response. On the other hand, a correlation computation between the captured response and the expected response that results in a Pearson correlation coefficient equal to or greater than 0.8 may indicate a relatively strong relationship between the actual response and the expected response.

At block 152, a determination is made whether the captured magnetic field profile response of supply item security device 60 b matches the expected response. For instance, in the above example, it may be determined that the captured response does not match the expected response if the resulting Pearson correlation coefficient of the correlation computation is less than the predetermined threshold of 0.8. Otherwise, if the correlation computation results in a Pearson correlation coefficient that is greater than or equal to the predetermined threshold of 0.8, it may be determined that the actual response of the supply item security device 60 b matches the expected response.

When it is determined at block 152 that the actual magnetic field profile response matches the expected response, an indication may be made that supply item security device 60 b (and, consequently, supply item 55) is authentic at block 154. Otherwise, when it is determined at block 152 that the actual response does not match the expected response, an indication may be made that supply item security device 60 b (and, consequently, supply item 55) is non-authentic at block 156. One or more enforcement actions may be performed to protect against the use of the non-authentic supply item and/or prevent damage to imaging device 15. For example, the enforcement action may include preventing use of the non-authentic supply item in imaging device 15 and/or notifying the user that a non-authentic/unsupported supply item is installed.

FIG. 7 illustrates an example method of one-way authentication where a supply item security device 60 on supply item 55 authenticates system security device 60 on controller 40. It is noted that the same techniques and operations described above with respect to FIG. 6 may be used in this example when applicable. At block 160, SoC 70 sends a start authentication command to a supply item security device 60 b for supply item security device 60 b to initiate authentication of system security device 60 a. In response to receiving the start authentication command from SoC 70, supply item security device 60 b generates an authentication challenge/command by computing a random challenge and sends the authentication challenge/command to system security device 60 a at block 162.

Upon receiving the challenge from supply item security device 60 b, system security device generates a magnetic field profile response by executing one or more commands specified by the authentication challenge at block 164. The magnetometer device 100 measures the generated magnetic field profile response during a measurement interval as the system security device 60 a draws current from the power source while executing the one or more commands, and then sends the measured magnetic field profile response to the SoC 70 to store in memory as a captured magnetic field profile response at block 166.

At block 168, SoC 70 generates an expected magnetic profile response by dynamically computing or generating the expected magnetic field profile response from the supply item security device 60 b or by reading a predetermined value from memory 105 in the same manner as discussed above with respect to FIG. 6. In another example, for instances where security devices 60 are instances of the same security device, a second security device may be used to generate a magnetic field profile response to the same authentication challenge with the same parameters and such magnetic field profile response may be used as the expected response of the first security device that is to be authenticated.

At block 170, SoC 70 verifies the captured magnetic field profile response of system security device 60 b by comparing it with the expected response using a statistical correlation algorithm and a predetermined threshold. At block 172, a determination is made whether the captured magnetic field profile response of system security device 60 a matches the expected response. When it is determined at block 172 that the captured magnetic field profile response of system security device 60 a matches the expected response, an indication may be made that system security device 60 a (and, consequently, controller 40) is authentic at block 174. Otherwise, when it is determined at block 172 that the captured magnetic field profile response does not match the expected response, an indication may be made that system security device 60 a (and, consequently, controller 40) is non-authentic at block 176. One or more enforcement actions may be performed to protect against the use of the non-authentic controller.

In the example shown in FIG. 7, one-way authentication is performed for instances where a supply item security device 60 b on supply item 55 authenticates system security device 60 a on controller 40. In other embodiments, SoC 70 may command a supply item security device 60 a on supply item 55 to authenticate a supply item security device 60 b on another supply item 55 (instead of system security device 60 a on controller 40) by applying the same method discussed above with respect to FIG. 7. In particular, the supply item security device 60 b on a first supply item 55 may generate an authentication challenge/command and send the authentication challenge/command to another supply item security device 60 b on a second supply item 55. In turn, the supply item security device 60 b on the second supply item 55 may generate a magnetic field profile response which is sent to SoC 70 for verification using the same techniques and operations discussed above.

FIG. 8 illustrates an example method of self-authentication where a system security device 60 a on controller 40 authenticates itself. It is noted that the same techniques and operations described above with respect to FIGS. 6 and 7 may be used in this example when applicable. At block 180, SoC 70 sends a start authentication command to system security device 60 a for system security device 60 a to initiate self-authentication. In response to receiving the start authentication command from SoC 70, system security device 60 a generates an authentication challenge/command by computing a random challenge and sends the authentication challenge to itself at block 182.

At block 184, system security device 60 a generates a magnetic field profile response by executing one or more commands specified by the authentication challenge. The magnetometer device 100 measures the generated magnetic field profile response during a measurement interval as the system security device 60 a draws current from the power source while executing the one or more commands, and then sends the measured magnetic field profile response to the SoC 70 to store in memory as a captured magnetic field profile response at block 186.

At block 188, SoC 70 generates an expected magnetic profile response by dynamically computing or generating the expected magnetic field profile response from a trusted security device 60, such as from a different security device (e.g., from one of supply item security devices 60 b), or by reading a predetermined value from memory 105 in the same manner as discussed above with respect to FIGS. 6 and 7. At block 190, SoC 70 verifies the captured magnetic field profile response of system security device 60 a by using the system security device 60 a to compare the captured magnetic field profile response in whole or in part with the expected response using a statistical correlation algorithm and a predetermined threshold. At block 192, a determination is made whether the captured magnetic field profile response of system security device 60 matches the expected response. When it is determined at block 192 that the captured magnetic field profile response of system security device 60 a matches the expected response, an indication may be made that system security device 60 a (and, consequently, controller 40) is authentic at block 194. Otherwise, when it is determined at block 192 that the captured magnetic field profile response does not match the expected response, an indication may be made that system security device 60 a (and, consequently, controller 40) is non-authentic at block 196. One or more enforcement actions may be performed to protect against the use of the non-authentic controller.

In the example shown in FIG. 8, self-authentication is performed by system security device 60 a to authenticate itself. In other embodiments, the same method discussed above with respect to FIG. 8 may be applied by each supply item security device 60 b on supply items 55 for authenticating itself.

As a result, the authentication of security devices using the magnetic field-based authentication methods discussed above may be used for one-way authentication (system security device 60 a authenticates supply item security device 60 b or vice versa) as illustrated in FIG. 6 or FIG. 7, mutual authentication (system security device 60 a and supply item security device authenticate each other) as illustrated in FIG. 6 and FIG. 7 together, or self-authentication (a security device 60 authenticates itself) as illustrated in FIG. 8.

Authentication schemes using magnetic field profiles have been described above that may be used to authenticate security devices 60. Presented below, with reference to FIGS. 9-14, are specific examples of devices and methods executed on imaging system 10 that may be used to authenticate security devices based on magnetic field profiles. In the examples shown, instances of the same security device 60 are placed on controller 40 and on each supply item 55. Each security device 60 may include a master (M) and/or slave (S) serial interface, a microcontroller (not shown), NVM 62, and other hardware security features. The NVM 62 in the security device 60 may contain firmware and data programmed at the factory that may be used for authenticating supply items. SoC 70 may directly communicate with system security device 60 a while communication between SoC 70 and supply item security devices 60 b may go through system security device 60 a. In other embodiments, SoC 70 may directly communicate with all security devices 60 including system security device 60 a and supply item security devices 60 b.

In the embodiment shown in FIG. 9, SoC 70 communicates with security devices 60 and magnetometer device 100 via a shared bus system 80. Shared bus system 80 may employ the Inter-Integrated Circuit (“I2C”) protocol, although many other protocols can be utilized. One wire 82 of shared bus 80 carries data in a bidirectional manner, and the other wire 83 carries clock signals to the security devices 60. While shared bus system 80 is illustrated as a two-wire serial bus, shared parallel bus structures or other wired structures may be utilized in other example embodiments.

SoC 70, memory 105, magnetometer device 100, power source/voltage regulator 85 and other devices (not shown) are placed on controller 40 and attached to imaging device 15. Memory on the SoC 70 may contain host firmware 75 and data read from memory 105 on the controller 40 programmed at the factory that may be used for authenticating supply items 55. The master serial interface 81 of SoC 70 is connected to the slave serial interfaces 64 of the security devices and to a slave serial interface 104 of the magnetometer device 100. SoC 70 reads parameters from memory 62, 95 or generates parameters randomly, and configures different devices in imaging system 10 including security devices 60 and magnetometer(s) 100.

Power supply 50 provides power to controller 40 that is regulated to an operating voltage by voltage regulator 85 that supplies current to security devices 60 on the controller 40 and on the supply items 55 through power bus 90 including one or more conductors that connect the security devices 60 to the voltage regulator 85. The magnetometer device 100 is located near a conductor of power bus 90 carrying current from the voltage regulator 85 to the security devices 60.

In the embodiment shown, magnetic field-based authentication begins with the SoC 70 commanding the system security device 60 a to generate an authentication challenge that is sent to the supply item security device 60 b. The supply item security device 60 b responds to the challenge by executing one or more commands based on parameters included with the authentication challenge. In another embodiment, the supply item security device 60 b may execute commands based on parameters stored in its NVM 62. When the supply item security device 60 b executes the one or more commands, the supply item security device 60 b generates a unique magnetic field profile near the conductor carrying the current drawn from the voltage regulator 85. The magnetic field profile is measured by the magnetometer device 100 at a programmed measurement resolution and operating frequency during a measurement interval beginning with the detection of a trigger condition 78 and continuing for a programmed measurement duration. The magnetometer device 100 sends the measured magnetic field profile to the SoC 70 over the serial interface where it is captured and stored in memory as a captured magnetic field profile 110 and used as the response to the authentication challenge.

The SoC 70 may then use an authentication algorithm to verify the response by comparing the captured magnetic field profile 110 with an expected magnetic field profile 115. As before, the expected magnetic field profile 115 may have been predetermined and stored in memory 105 or dynamically generated or computed by capturing the same magnetic field profile from the system security device 60 a. If the result of the comparison is greater than or equal to a predetermined threshold for statistical correlation (such as using the Pearson Correlation Coefficient discussed above), the supply item security device 60 b is determined to be authentic. Otherwise, if the result of the comparison is less than the predetermined threshold for statistical correlation, the supply item security device may be determined to be non-authentic. Each security device 60 on supply items 55 may be authenticated individually (one at a time) or collectively (more than one at a time) in any combination of 1 to N, where there are N security devices in imaging system 10. When security devices 60 are authenticated collectively, N at a time in parallel, where each security device takes T time to authenticate, there is a reduction in total authentication time from N*T to T. This 1/N reduction in total authentication time enables improvements in imaging device 15 specifications (e.g., time to first page) that are dependent on the total authentication time of all the security devices 60 in an imaging device 15.

In some embodiments, the measurement interval, frequency, and resolution may be based on unique parameters such as the trigger condition, measurement period, measurement duration and measurement resolution. Each of these commands and parameters may be stored in internal memory, such as NVM 62 of the security device 60, at the time of manufacture or received by secure communication from the system security device 60 a.

A response consists of a captured magnetic field profile where two instances of the same security device (manufactured with the same mask set and same semiconductor process) may generate a similar response (captured magnetic field profile) to a challenge composed of the same command and parameters. In addition, two instances of the same security device may generate a different response (captured magnetic field profile) to a challenge composed of the same command and parameters. In this case, the use of additional secret parameters stored in each instance of an authentic security device (such as, but not limited to, an operating frequency divisor) may be used to modify parameters of the commands included in the challenge to change the manner in which the security device executes the commands which, in turn, can further randomize the response of an authentic security device. The response may be measured by magnetometer device 100 after it has been configured by the SoC 70 to measure a magnetic field profile with a measurement resolution and frequency beginning when a trigger condition is detected and ending after a measurement duration, and to communicate the response to the SoC 70 where it may be stored in memory. The magnetometer device 100 may be configured based on parameters stored in NVM 62 that determine the capture frequency, magnetic field range and magnetic field resolution. The magnetometer device 100 may be configured the same or differently for capturing the magnetic field profile for each security device 60.

One or more expected magnetic field profiles that represent all security devices collectively may be predetermined by characterization of several security devices and stored in the NVM memory 105 on the controller 40 or in the NVM 62 on the security device 60. In addition, one or more expected magnetic field profiles that represent a security device 60 individually may be predetermined by characterization of the security device and stored in NVM 62 on the security device. Furthermore, the predetermined magnetic field profiles may be combined with other device specific information (such as a serial number of a supply item 55) and signed with a digital signature algorithm (such as ECDSA) and encrypted with an encryption algorithm (such as AES) and both the digital signature and encrypted magnetic field profile may be stored in a non-volatile memory.

An expected magnetic field profile that represents all security devices collectively may be generated dynamically from the system security device 60 a executing the same challenge and generating and capturing the same magnetic field profile as a response. This eliminates the need to store any expected magnetic field profile in the NVM 62. Because the system security device and the supply item security device 60 b are instances of the same design (manufactured with the same mask set and same semiconductor process), it is expected that the captured magnetic field profile of the system security device 60 a will be highly correlated to the magnetic field profile of the supply item security device 60 b and therefore suitable to use as the expected magnetic field profile to authenticate a supply item security device 60 b.

Additional embodiments are described below, but these additional embodiments should not be viewed as exhaustive. It should also be understood that all previous descriptions may apply in whole or in part to these additional embodiments.

In the embodiment shown in FIG. 10, all devices are placed, located, and connected as described in the embodiment shown in FIG. 9. However, in this embodiment, the magnetometer device 100 and the security device 60 are placed on the controller 40 and are combined on a printed circuit board (PCB) 63 and placed on one or more of the supply items 55. The master serial interface 81 of the SoC 70 is connected to the slave serial interfaces 64 of each security device 60 and to the slave serial interfaces 104 of each magnetometer device 100. Further, each security device 60 is connected to the voltage regulator 85 through individual corresponding current carrying conductors 90, 91, 92 and 93.

The authentication of supply items 55 using magnetic field profiles begins and proceeds as previously described above with respect to FIG. 9 with the difference that the magnetic field profile measurement for a security device 60 is made by a dedicated magnetometer device 100 located with the security device 60 on a supply item 55 or on the controller 40. Each magnetometer device 100 communicates the magnetic field measurement result to the SoC 70 over the serial interface where it is stored in memory as the captured magnetic field profile 110 for the security device 60. The SoC 70 may then use an authentication algorithm to verify the response as previously described to determine the authenticity of the security device on the supply item 55.

In this embodiment, security devices 60 can be authenticated using individual magnetic field profiles 1 to N at a time, where N is the total number of security devices (for example, one or more of security devices 60 may be authenticated substantially concurrently using one-way authentication, mutual authentication, or self-authentication). When security devices 60 are authenticated individually, N at a time in parallel, where each security device takes T time to authenticate, there is a reduction in total authentication time from N*T to T. This 1/N reduction in total authentication time enables improvements in imaging device 15 specifications (e.g., time to first page) that are dependent on total authentication time of all the security devices 60 in an imaging device 15. Further, as with the previous embodiment, secret parameters stored in the NVM of each security device may be used to cause each security device to execute authentication challenge commands differently to have a different magnetic profile response to the same authentication challenge.

In the embodiment shown in FIG. 11, the magnetometer device 100 and the security device 60 are placed on the controller 40 and are combined on a printed circuit board (PCB) 63 and placed on one or more of the supply items 55. The master serial interface 81 of the SoC 70 is connected to the slave serial interface 64 of the system security device 60a and the master serial interface 67 of the system security device 60a is connected to the slave serial interface 64 of each supply item security device 60b and to the slave interface 104 of the magnetometer device 100 on the controller 40. Further, the master serial interface 66 of each supply item security device 60b is connected to the slave serial interface 104 of the magnetometer device 100 on the supply item 55. Each security device 60 is connected to the voltage regulator 85 through corresponding individual current carrying conductors 90, 91, 92 and 93.

The authentication of supply items 55 using magnetic field profiles begins and proceeds as previously described above with the difference that the magnetic field profile measurement for a security device 60 is made by a dedicated magnetometer device 100 located with the security device 60 on a supply item 55 or on the controller 40. Each magnetometer device 100 communicates the magnetic field measurement result to the co-located security device 60 (on controller 40 or on supply item 55) over the master (66) and slave (104) serial interface connection between magnetometer device 100 and security device 60 where it is stored in memory as the captured magnetic field profile for the security device 60. Each security device 60 may then use an authentication algorithm to verify the response by comparing the captured magnetic field profile with the expected magnetic field profile as previously described to determine the authenticity of the security device 60 on the supply item 55 or on the controller 40.

In this embodiment, each security device 60 can authenticate itself (self-authentication) by receiving an authentication challenge from the system security device 60a, generating a response, measuring the response with a dedicated magnetometer, capturing the magnetic field profile response in memory, and verifying the response by executing the authentication algorithm on the security device.
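
The verification step of the self-authentication flow above (compare the captured magnetic field profile with the expected one against a predetermined threshold), shown as an added example that is not part of the patent. The correlation metric, the result codes, the sample values and the 0.95 threshold are assumptions; the text here does not specify them.

```c
#include <stddef.h>

/* Hypothetical result codes; the patent text names none. */
enum mf_result { MF_AUTHENTIC = 0, MF_REJECT = 1, MF_BAD_INPUT = 2 };

/* Constructed sample profiles in arbitrary units, not measured data. */
static const double EXPECTED[8]  = {2, 9, 4, 12, 3, 10, 5, 11};
/* Same shape plus a constant ambient offset and small sensor noise. */
static const double GENUINE[8]   = {32.4, 39.1, 33.8, 42.3, 33.1, 39.7, 35.2, 41.0};
/* Same commands executed in a different order (wrong secret parameter). */
static const double REORDERED[8] = {2, 9, 4, 3, 12, 10, 5, 11};

/* Assumed metric: Pearson correlation r of captured vs expected, accepted
 * when r >= threshold. Means are removed first, so a constant offset on the
 * magnetometer does not change the score. The comparison is done on r^2 so
 * that no square root is needed. */
enum mf_result mf_verify(const double *captured, size_t n_captured,
                         const double *expected, size_t n_expected,
                         double threshold)
{
    if (!captured || !expected || n_captured != n_expected || n_captured < 2)
        return MF_BAD_INPUT;
    if (threshold <= 0.0 || threshold > 1.0)
        return MF_BAD_INPUT;
    size_t n = n_captured;
    double mean_c = 0.0, mean_e = 0.0;
    for (size_t i = 0; i < n; i++) {
        mean_c += captured[i];
        mean_e += expected[i];
    }
    mean_c /= (double)n;
    mean_e /= (double)n;
    double cov = 0.0, var_c = 0.0, var_e = 0.0;
    for (size_t i = 0; i < n; i++) {
        double dc = captured[i] - mean_c, de = expected[i] - mean_e;
        cov += dc * de;
        var_c += dc * dc;
        var_e += de * de;
    }
    /* A flat series carries no response information; reject it rather
     * than divide by zero. Anti-correlated series fail despite large r^2. */
    if (var_c == 0.0 || var_e == 0.0 || cov <= 0.0)
        return MF_REJECT;
    return (cov * cov >= threshold * threshold * var_c * var_e)
               ? MF_AUTHENTIC : MF_REJECT;
}

int main(void) { return mf_verify(GENUINE, 8, EXPECTED, 8, 0.95); }
```

Because the score ignores constant offset and overall gain, a deployment that must also bound absolute field strength would need a separate amplitude check alongside it.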

In the embodiment shown in FIG. 12, the magnetometer device 100 and the security device 60 may be assembled in a multi-chip module (MCM) package 68. For example, a magnetometer chip (for magnetometer device 100) and a security chip (for security device 60) may be placed horizontally side by side (2D package) on a substrate 68. In this arrangement, the magnetometer chip may be located near the conductor carrying current to the security chip and the combined device may be placed on supply item 55 and on controller 40 and connected as shown. In this embodiment, the slave serial interface 104 of the magnetometer chip and the slave serial interface 64 of the security chip may be connected to the master serial interface 81 of the SoC 70 as shown. Although not shown, other connection schemes are also possible in other embodiments. The authentication of security devices 60 using magnetic field profiles generated from the current drawn by a security device 60 when it executes an authentication challenge command and measured by a magnetometer device 100 may be carried out as previously described.

In the embodiment shown in FIG. 13, the magnetometer device 100 and the security device 60 may be assembled in a multi-chip module (MCM) package 68. For example, a magnetometer chip (for magnetometer device 100) and a security chip (for security device 60) may be placed vertically in a chip-on-chip stack (3D package) on a substrate 68. In this arrangement, the magnetometer chip (above or below the security chip) may be located near the conductor carrying current to the security chip and the combined device may be placed on supply item 55 and on controller 40 and connected as shown. In this embodiment, the slave serial interface 104 of the magnetometer chip and the slave serial interface 64 of the security chip may be connected to the master serial interface 81 of the SoC 70 as shown. As before, other connection schemes are possible in other embodiments. The authentication of security devices 60 using magnetic field profiles generated from the current drawn by a security device 60 when it executes an authentication challenge command and measured by a magnetometer device 100 may be carried out as previously described.

In the embodiment shown in FIG. 14, the magnetometer device 100 and the security device 60 may be integrated in a single chip, where at least one magnetometer unit (for magnetometer device 100), at least one security unit (for security device 60), at least one communication interface (S) 64, and at least one non-volatile memory (NVM) 62 are fabricated on the same semiconductor substrate 69. In this arrangement, the magnetometer unit 100 may be located near the conductor carrying current to the security unit and the integrated device may be placed on supply item 55 and on controller 40 and connected as shown. In this embodiment, the slave serial interface 104 of the magnetometer unit and the slave serial interface 64 of the security unit may be connected to the master serial interface 81 of the SoC 70 as shown. As before, other connection schemes are possible in other embodiments. The authentication of security devices 60 using magnetic field profiles generated from the current drawn by a security device 60 when it executes an authentication challenge command and measured by a magnetometer device 100 may be carried out as previously described.

In each of the embodiments, illustrated in FIGS. 10-14, and previously described, at least one security device 60 and at least one magnetometer device 100 and at least one communication interface 64, 104, and at least one non-volatile memory (NVM) 62 have been combined in multiple discrete 63, 68 and integrated forms 69 to form a device for authenticating supply items 55 in an imaging device 15 using magnetic field profiles generated from current drawn by the security device 60 when executing an authentication challenge. Finally, these devices may be authenticated substantially concurrently using one-way authentication, mutual authentication, or self-authentication.

The details of the above example embodiments have been described in the context of using wired communication. In a further embodiment, security devices 60 may be connected by wireless technology to transmit and receive challenge and response signals by antenna to implement the authentication methods disclosed herein. In this embodiment, a security device 60 on controller 40 and a security device 60 on a supply item 55 may communicate with each other wirelessly. A security device 60 on a supply item 55 and another security device 60 on another supply item 55 may also communicate with each other wirelessly. Other embodiments are also possible including placing individual voltage regulators on each supply item 55 and connecting the voltage regulators to the power supply unit 50 and to the security device on the supply item.

With the above example embodiments, magnetic field-based methods of authenticating security devices have been disclosed that use one or more commands, a trigger condition, a measurement interval, a captured magnetic field profile, an expected magnetic field profile, an authentication algorithm, and a predetermined threshold to perform one-way, mutual, or self-authentication of security devices on a controller or on a supply item. It should be understood that many different combinations of these commands, parameters, challenges, responses, algorithms, thresholds, protocols, devices, locations, and connections, each with unique characteristics, may be used to implement the magnetic field-based authentication concepts disclosed herein and all combinations of these component parts are considered embodiments of this invention.

The foregoing illustrates various aspects of the invention. It is not intended to be exhaustive. Rather, it is chosen to provide the best mode of the principles of operation and practical application known to the inventors so one skilled in the art can practice it without undue experimentation. All modifications and variations are contemplated within the scope of the invention as determined by the appended claims. Relatively apparent modifications include combining one or more features of one embodiment with those of another embodiment.

1. In an imaging system having an imaging device and a supply item, each with a security device chip and having access to memory, a method of determining authenticity of the supply item installed and connected to the imaging device, either or both the imaging device and supply item having a conductor for passing current to the security device chips, comprising: generating an authentication challenge to the supply item, the challenge having one or more commands for execution by the supply item; transmitting the challenge to the supply item; receiving the challenge at the supply item; executing the one or more commands of the challenge at the supply item, the executing drawing the current over the conductor and generating a magnetic field; and characterizing the magnetic field, thereby indicating an authentication response to the challenge.
2. The method of claim 1, wherein the characterizing includes measuring a strength of the magnetic field.
3. The method of claim 1, further including transmitting the authentication response from the supply item to the imaging device.
4. The method of claim 3, further including receiving the response at the imaging device; and comparing at the imaging device the response with an expected response stored in the memory of the imaging device to determine authenticity of the supply item.
5. The method of claim 1, further including placing a magnetometer in proximity to the conductor to measure the magnetic field.
6. The method of claim 1, further including generating a magnetic field profile based on the characterization of the magnetic field.
7. The method of claim 6, further including using the magnetic field profile as the authentication response.
8. The method of claim 1, wherein the imaging system further includes another supply item having another security device chip with access to memory and the imaging device transmits the challenge to the another supply item.
9. The method of claim 8, further including transmitting the authentication response from the supply item to the another supply item.
10. The method of claim 9, further including receiving the response at the another supply item; and comparing at the another supply item the response with an expected response stored in the memory available to the another security device chip of the another supply item to determine authenticity of the supply item.
11. The method of claim 1, further including providing the imaging system with a power source from which the security device chips draw current through the conductor.
12. The method of claim 1, further including toner in a housing of the supply item and securing the security device chip of the supply item to the housing.
13. The method of claim 1, further including providing a power bus between the security device chips of the imaging device and the supply item.
14. The method of claim 1, wherein the imaging device generates the authentication challenge.
15. The method of claim 14, wherein the authentication challenge is transmitted from the imaging device to the supply item.
16. The method of claim 1, wherein the imaging system further includes another supply item having another security device chip with access to memory and the another security device chip said generates the authentication challenge.
17. The method of claim 16, wherein the another supply item transmits the challenge to the supply item.
18. The method of claim 5, further including providing the magnetometer with either or both hall effect or magnetoresistance sensors.
19. The imaging system of claim 5, further including triggering a start condition from which the magnetometer is configured to measure the magnetic field during a measurement duration.
20. In an imaging system having an imaging device and first and second toner cartridges, each of the imaging device and the toner cartridges having a security device chip and having access to memory, a method of determining authenticity of the toner cartridges installed and connected to the imaging device, at least one of the imaging device and the toner cartridges having a conductor for passing current to the security device chips, comprising: generating in the imaging device an authentication challenge to the toner cartridges, the challenge having one or more commands for execution by the security device chips of the toner cartridges; transmitting the challenge from the imaging device to both the toner cartridges; receiving the challenge at said both the toner cartridges; executing the one or more commands of the challenge at the security device chips of both the toner cartridges, the executing drawing the current over the conductor and generating a plurality of unique magnetic fields; measuring the unique magnetic fields, thereby indicating authentication responses from said both toner cartridges to the challenge for the imaging device to determine the authenticity of said both toner cartridges.